collection: Allow playbooks to be executed using collection

When available in a collection 'playbooks' directory, playbooks can be directly accessed as roles and modules: 'namespace.collection.playbook'. This allows, for example the deployment roles to be executed with the provided ansible-freeipa playbooks requiring minimal effort from the user part. In order to be accessible, though, the playbooks must not use dash ("-") on the file names, as they are replaced by underscorse ("_") during Ansible processing and then, the files are not found. By renaming the playbooks that, currently, do not set any variable as an usage example, replacing "-" by "_", we allow the FreeIPA collection playbooks to be executed without the user having to search for the correct file, like: $ ansible-playbook -i inventory freeipa.ansible_freeipa.install_server
2026-05-14 05:22:05 +00:00 · 2025-03-17 15:39:07 -03:00
75 changed files with 157 additions and 777 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -26,7 +26,7 @@ repos:
  - id: yamllint
    files: \.(yaml|yml)$
 - repo: https://github.com/pycqa/flake8
-  rev: 7.2.0
+  rev: 7.0.0
  hooks:
  - id: flake8
 - repo: https://github.com/pycqa/pylint
--- a/README-idrange.md
+++ b/README-idrange.md
@@ -68,6 +68,23 @@ Example playbook to ensure a local domain idrange is present:
      name: local_domain_id_range
      base_id: 150000
      range_size: 200000
 ```
 Example playbook to ensure a local domain idrange is present, with RID and secondary RID base values:
 ```yaml
 ---
 - name: Playbook to manage IPA idrange.
  hosts: ipaserver
  become: no
  tasks:
  - name: Ensure local idrange is present
    ipaidrange:
      ipaadmin_password: SomeADMINpassword
      name: local_domain_id_range
      base_id: 150000000
      range_size: 200000
      rid_base: 1000000
      secondary_rid_base: 200000000
 ```
@@ -155,8 +172,8 @@ Variable | Description | Required
 `name` \| `cn` | The list of idrange name strings. | yes
 `base_id` \| `ipabaseid` | First Posix ID of the range. (int) | yes, if `state: present`
 `range_size` \| `ipaidrangesize` | Number of IDs in the range. (int) | yes, if `state: present`
-`rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | yes, if `idrange_type: ipa-local` and `state: present` |
+`rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | no
-`secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | yes, if `idrange_type: ipa-local` and `state: present` |
+`secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | no
 `dom_sid` \| `ipanttrusteddomainsid` | Domain SID of the trusted domain. | no
 `idrange_type` \| `iparangetype` | ID range type, one of `ipa-ad-trust`, `ipa-ad-trust-posix`, `ipa-local`. Only valid if idrange does not exist. | no
 `dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. Can only be used when `ipaapi_context: server`. | no
--- a/infra/azure/azure-pipelines.yml
+++ b/infra/azure/azure-pipelines.yml
@@ -3,7 +3,7 @@ trigger:
 - master
 pool:
-  vmImage: 'ubuntu-24.04'
+  vmImage: 'ubuntu-20.04'
 variables:
  ansible_version: "-core >=2.16,<2.17"
--- a/infra/azure/nightly.yml
+++ b/infra/azure/nightly.yml
@@ -10,7 +10,7 @@ schedules:
 trigger: none
 pool:
-  vmImage: 'ubuntu-24.04'
+  vmImage: 'ubuntu-20.04'
 variables:
  # We need to have two sets, as c8s is not supported by all ansible versions
--- a/infra/azure/pr-pipeline.yml
+++ b/infra/azure/pr-pipeline.yml
@@ -3,7 +3,7 @@ trigger:
 - master
 pool:
-  vmImage: 'ubuntu-24.04'
+  vmImage: 'ubuntu-20.04'
 variables:
  distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"
--- a/infra/image/build.sh
+++ b/infra/image/build.sh
@@ -119,6 +119,13 @@ then
        deployed=true
    fi
    echo
    if $deployed; then
        log info "= Enabling services ="
        container_exec "${name}" systemctl enable fixnet
        container_exec "${name}" systemctl enable fixipaip
        echo
    fi
    container_stop "${name}"
--- a/infra/image/dockerfile/c10s
+++ b/infra/image/dockerfile/c10s
@@ -31,8 +31,6 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 RUN systemctl enable fixnet.service
 RUN systemctl enable fixipaip.service
 STOPSIGNAL RTMIN+3
--- a/infra/image/dockerfile/c8s
+++ b/infra/image/dockerfile/c8s
@@ -34,8 +34,6 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 RUN systemctl enable fixnet.service
 RUN systemctl enable fixipaip.service
 STOPSIGNAL RTMIN+3
--- a/infra/image/dockerfile/c9s
+++ b/infra/image/dockerfile/c9s
@@ -30,8 +30,6 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 RUN systemctl enable fixnet.service
 RUN systemctl enable fixipaip.service
 STOPSIGNAL RTMIN+3
--- a/infra/image/dockerfile/fedora-latest
+++ b/infra/image/dockerfile/fedora-latest
@@ -33,8 +33,6 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 RUN systemctl enable fixnet.service
 RUN systemctl enable fixipaip.service
 STOPSIGNAL RTMIN+3
--- a/infra/image/dockerfile/fedora-rawhide
+++ b/infra/image/dockerfile/fedora-rawhide
@@ -33,8 +33,6 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
 RUN systemctl enable fixnet.service
 RUN systemctl enable fixipaip.service
 STOPSIGNAL RTMIN+3
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,20 +4,13 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
 # shellcheck disable=SC1091
 . "${SCRIPTDIR}/shdefaults"
 # shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 container_create() {
    local name=${1}
    local image=${2}
    shift 2
-    declare -a extra_opts
+    declare -a extra_opts=()
    readarray -t extra_opts < \
        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" \
        <<< "$(printf '%s\n' "${CAP_DEFAULTS[@]}")")
    for opt in "$@"
    do
        [ -z "${opt}" ] && continue
@@ -26,7 +19,6 @@ container_create() {
            cpus=*) extra_opts+=("--${opt}") ;;
            memory=*) extra_opts+=("--${opt}") ;;
            capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
            volume=*) extra_opts+=("--volume=${opt##*=}") ;;
            *) log error "container_create: Invalid option: ${opt}" ;;
        esac
    done
@@ -55,19 +47,6 @@ container_start() {
    log info "= Starting ${name} ="
    podman start "${name}"
    # Add host entry to /etc/hosts
    ip=$(podman inspect "${name}" --format "{{.NetworkSettings.IPAddress}}")
    hostname=$(podman inspect "${name}" --format "{{.Config.Hostname}}")
    if [ -n "${ip}" ] && [ -n "${hostname}" ]; then
        cmd=$(cat <<EOF
 sed -i -E "/\s+${hostname}(\s|$)/d" /etc/hosts
 echo -e "$ip\t${hostname} ${hostname%%.*}" >> /etc/hosts
 EOF
           )
        podman exec "${name}" bash -c "$cmd"
    fi
    # Ensure /etc/shadow is readable
    podman exec "${name}" bash -c "chmod u+r /etc/shadow"
    echo
 }
@@ -216,15 +195,3 @@ container_fetch() {
    podman cp "${name}:${source}" "${destination}"
    echo
 }
 container_tee() {
    local name=${1}
    local destination=${2}
    tmpfile=$(mktemp /tmp/container-temp.XXXXXX)
    log info "= Creating ${name}:${destination} from stdin ="
    cat - > "${tmpfile}"
    podman cp "${tmpfile}" "${name}:${destination}"
    rm "${tmpfile}"
    echo
 }
--- a/infra/image/shdefaults
+++ b/infra/image/shdefaults
@@ -1,9 +0,0 @@
 #!/bin/bash -eu
 # This file is meant to be source'd by other scripts
 # Set default capabilities options for freeipa containers.
 # Use +CAP to add the capability and -CAP to drop the capability.
 CAP_DEFAULTS=(
    "+DAC_READ_SEARCH"  # Required for SSSD
    "+SYS_PTRACE"       # Required for debugging
 )
--- a/infra/image/system-service/fixipaip.service
+++ b/infra/image/system-service/fixipaip.service
@@ -1,7 +1,6 @@
 [Unit]
 Description=Fix IPA server IP in IPA Server
 After=ipa.service
 PartOf=ipa.service
 [Service]
 Type=oneshot
@@ -10,4 +9,4 @@ StandardOutput=journal
 StandardError=journal
 [Install]
-WantedBy=ipa.service
+WantedBy=default.target
--- a/infra/image/system-service/fixipaip.sh
+++ b/infra/image/system-service/fixipaip.sh
@@ -50,9 +50,9 @@ if [ -z "${FORWARDER}" ] || [ "${FORWARDER}" == "127.0.0.1" ]; then
 fi
 echo "Fix IPA:"
-echo "  HOSTNAME:  '${HOSTNAME}'"
+echo "  HOSTNAME: '${HOSTNAME}'"
-echo "  IP:        '${IP}'"
+echo "  IP: '${IP}'"
-echo "  PTR:       '${PTR}'"
+echo "  PTR: '${PTR}'"
 echo "  FORWARDER: '${FORWARDER}'"
 ZONES=$(ipa -e in_server=true dnszone-find --name-from-ip="${HOSTNAME}." \
--- a/infra/image/system-service/fixnet.service
+++ b/infra/image/system-service/fixnet.service
@@ -1,5 +1,8 @@
 [Unit]
-Description=Fix /etc/hosts and with local DNS also /etc/resolv.conf
+Description=Fix server IP in IPA Server
 Wants=network.target
 After=network.target
 Before=ipa.service
 [Service]
 Type=oneshot
@@ -8,4 +11,4 @@ StandardOutput=journal
 StandardError=journal
 [Install]
-WantedBy=container-ipa.target
+WantedBy=ipa.service
--- a/infra/image/system-service/fixnet.sh
+++ b/infra/image/system-service/fixnet.sh
@@ -39,35 +39,26 @@ if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
    exit 1
 fi
 DOMAIN=${HOSTNAME#*.}
 echo "Fix NET:"
 echo "  HOSTNAME: '${HOSTNAME}'"
-echo "  DOMAIN:   '${DOMAIN}'"
+echo "  IP: '${IP}'"
 echo "  IP:       '${IP}'"
 echo
-# /etc/hosts
+if grep -qE "^[^(#\s*)][0-9\.]+\s$HOSTNAME(\s|$)" /etc/hosts
-
+then
-sed -i -E "/\s+${HOSTNAME}(\s|$)/d" /etc/hosts
+    sed -i.bak -e "s/.*${HOSTNAME}/${IP}\t${HOSTNAME}/" /etc/hosts
-echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
+else
-
+    echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
-echo "/etc/hosts:"
+fi
 cat "/etc/hosts"
 # /etc/resolv.conf
 # If bind is not installed, exit
 [ -f "/etc/named.conf" ] || exit 0
 # If dyndb is not enabled for bind, exit
 grep -q '^dyndb "ipa"' "/etc/named.conf" || exit 0
 cp -a /etc/resolv.conf /etc/resolv.conf.fixnet
 cat > /etc/resolv.conf <<EOF
-search ${DOMAIN}
+search ${HOSTNAME#*.}
 nameserver 127.0.0.1
 EOF
 echo "/etc/hosts:"
 cat "/etc/hosts"
 echo
 echo "/etc/resolv.conf:"
 cat "/etc/resolv.conf"
--- a/playbooks/backup_server.yml
+++ b/playbooks/backup_server.yml
--- a/playbooks/backup_server_to_controller.yml
+++ b/playbooks/backup_server_to_controller.yml
--- a/playbooks/copy_all_backups_from_server.yml
+++ b/playbooks/copy_all_backups_from_server.yml
--- a/playbooks/install_client.yml
+++ b/playbooks/install_client.yml
--- a/playbooks/install_cluster.yml
+++ b/playbooks/install_cluster.yml
--- a/playbooks/install_replica.yml
+++ b/playbooks/install_replica.yml
--- a/playbooks/install_server.yml
+++ b/playbooks/install_server.yml
--- a/playbooks/install_smartcard_clients.yml
+++ b/playbooks/install_smartcard_clients.yml
--- a/playbooks/install_smartcard_replicas.yml
+++ b/playbooks/install_smartcard_replicas.yml
--- a/playbooks/install_smartcard_server.yml
+++ b/playbooks/install_smartcard_server.yml
--- a/playbooks/install_smartcard_servers.yml
+++ b/playbooks/install_smartcard_servers.yml
--- a/playbooks/remove_all_backups_from_server.yml
+++ b/playbooks/remove_all_backups_from_server.yml
--- a/playbooks/uninstall_client.yml
+++ b/playbooks/uninstall_client.yml
--- a/playbooks/uninstall_cluster.yml
+++ b/playbooks/uninstall_cluster.yml
--- a/playbooks/uninstall_replica.yml
+++ b/playbooks/uninstall_replica.yml
--- a/playbooks/uninstall_server.yml
+++ b/playbooks/uninstall_server.yml
--- a/plugins/modules/ipaidrange.py
+++ b/plugins/modules/ipaidrange.py
@@ -281,14 +281,6 @@ def main():
    # Connect to IPA API
    with ansible_module.ipa_connect():
        # set required fields
        required = ["base_id", "range_size"]
        requires_baserid = (
            ansible_module.ipa_command_param_exists("config_mod", "enable_sid")
            and idrange_type in [None, "ipa-local"]
        )
        if requires_baserid:
            required.extend(["rid_base", "secondary_rid_base"])
        commands = []
        for name in names:
@@ -329,18 +321,6 @@ def main():
                            del args["iparangetype"]
                        commands.append([name, "idrange_mod", args])
                else:
                    # Check if required parameters were given
                    missing_params = [
                        pname for pname in required
                        if ansible_module.params_get(pname) is None
                    ]
                    if missing_params:
                        ansible_module.fail_json(
                            msg=(
                                "Missing required parameters: %s"
                                % (", ".join(missing_params))
                            )
                        )
                    commands.append([name, "idrange_add", args])
            elif state == "absent":
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,7 +1,7 @@
 -r requirements-tests.txt
 ipdb==0.13.4
 pre-commit==2.20.0
-flake8
+flake8==7.0.0
 flake8-bugbear
 pylint>=3.2
 wrapt==1.14.1
--- a/roles/ipaclient/README.md
+++ b/roles/ipaclient/README.md
@@ -202,8 +202,6 @@ Variable | Description | Required
 `ipaclient_request_cert` | The bool value defines if the certificate for the machine wil be requested. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host". . `ipaclient_request_cert` defaults to `no`. The option is deprecated and will be removed in a future release. | no
 `ipaclient_keytab` | The string value contains the path on the node of a backup host keytab from a previous enrollment. | no
 `ipaclient_automount_location` | Automount location | no
 `ipaclient_dns_over_tls` | Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later. (bool, default: false) | no
 `ipaclient_no_dnssec_validation` | Disable DNSSEC validation for DNS over TLS. This turns off DNSSEC validation for unbound. Ignored if `ipaserver_dns_over_tls` is not enabled. (bool, default: false) | no
 Server Variables
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -26,8 +26,6 @@ ipasssd_enable_dns_updates: no
 ipasssd_no_krb5_offline_passwords: no
 ipasssd_preserve_sssd: no
 ipaclient_request_cert: no
 ipaclient_dns_over_tls: no
 ipaclient_no_dnssec_validation: no
 ### packages ###
 ipaclient_install_packages: yes
--- a/roles/ipaclient/library/ipaclient_setup_nss.py
+++ b/roles/ipaclient/library/ipaclient_setup_nss.py
@@ -86,16 +86,6 @@ options:
    type: bool
    required: no
    default: no
  dns_over_tls:
    description: Configure DNS over TLS
    type: bool
    default: no
    required: no
  no_dnssec_validation:
    description: Disable DNSSEC validation for DNS over TLS
    type: bool
    default: no
    required: no
  enable_dns_updates:
    description: |
      Configures the machine to attempt dns updates when the ip address
@@ -222,9 +212,7 @@ def main():
            mkhomedir=dict(required=False, type='bool'),
            on_master=dict(required=False, type='bool'),
            dnsok=dict(required=False, type='bool', default=False),
-            dns_over_tls=dict(required=False, type='bool', default=False),
+
            no_dnssec_validation=dict(required=False, type='bool',
                                      default=False),
            enable_dns_updates=dict(required=False, type='bool'),
            all_ip_addresses=dict(required=False, type='bool', default=False),
            ip_addresses=dict(required=False, type='list', elements='str',
@@ -261,8 +249,6 @@ def main():
    options.mkhomedir = module.params.get('mkhomedir')
    options.on_master = module.params.get('on_master')
    dnsok = module.params.get('dnsok')
    options.dns_over_tls = module.params.get('dns_over_tls')
    options.no_dnssec_validation = module.params.get('no_dnssec_validation')
    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
    statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
@@ -270,7 +256,6 @@ def main():
    os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE
    options.dns_updates = module.params.get('enable_dns_updates')
    options.dns_over_tls = module.params.get('dns_over_tls')
    options.all_ip_addresses = module.params.get('all_ip_addresses')
    options.ip_addresses = ansible_module_get_parsed_ip_addresses(module)
    options.request_cert = module.params.get('request_cert')
@@ -294,7 +279,7 @@ def main():
    options.no_sssd = False
    options.sssd = not options.no_sssd
    options.no_ac = False
-    options.dns_over_tls = module.params.get('dns_over_tls')
+    options.dns_over_tls = False
    nosssd_files = module.params.get('nosssd_files')
    selinux_works = module.params.get('selinux_works')
    krb_name = module.params.get('krb_name')
@@ -355,19 +340,17 @@ def main():
                                                      ca_subject)
        ca_certs_trust = [(c, n,
                           certstore.key_policy_to_trust_flags(t, True, u))
-                          for (c, n, t, u) in [x[0:4] for x in ca_certs]]
+                          for (c, n, t, u) in ca_certs]
        if hasattr(paths, "KDC_CA_BUNDLE_PEM"):
            x509.write_certificate_list(
-                [c for c, n, t, u in [x[0:4] for x in ca_certs]
+                [c for c, n, t, u in ca_certs if t is not False],
                    if t is not False],
                paths.KDC_CA_BUNDLE_PEM,
                # mode=0o644
            )
        if hasattr(paths, "CA_BUNDLE_PEM"):
            x509.write_certificate_list(
-                [c for c, n, t, u in [x[0:4] for x in ca_certs]
+                [c for c, n, t, u in ca_certs if t is not False],
                    if t is not False],
                paths.CA_BUNDLE_PEM,
                # mode=0o644
            )
@@ -388,11 +371,7 @@ def main():
        tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
        if not options.on_master:
-            argspec_client_dns = getargspec(client_dns)
+            client_dns(cli_server[0], hostname, options)
            if "statestore" in argspec_client_dns.args:
                client_dns(cli_server[0], hostname, options, statestore)
            else:
                client_dns(cli_server[0], hostname, options)
        if hasattr(paths, "SSH_CONFIG_DIR"):
            ssh_config_dir = paths.SSH_CONFIG_DIR
--- a/roles/ipaclient/library/ipaclient_setup_sssd.py
+++ b/roles/ipaclient/library/ipaclient_setup_sssd.py
@@ -91,11 +91,6 @@ options:
      changes
    type: bool
    required: no
  dns_over_tls:
    description: Configure DNS over TLS
    type: bool
    default: no
    required: no
  preserve_sssd:
    description: Preserve old SSSD configuration if possible
    type: bool
@@ -145,7 +140,6 @@ def main():
            fixed_primary=dict(required=False, type='bool'),
            permit=dict(required=False, type='bool'),
            enable_dns_updates=dict(required=False, type='bool'),
            dns_over_tls=dict(required=False, type='bool', default=False),
            preserve_sssd=dict(required=False, type='bool'),
            no_krb5_offline_passwords=dict(required=False, type='bool'),
        ),
@@ -175,13 +169,11 @@ def main():
    options.primary = module.params.get('fixed_primary')
    options.permit = module.params.get('permit')
    options.dns_updates = module.params.get('enable_dns_updates')
    options.dns_over_tls = module.params.get('dns_over_tls')
    options.preserve_sssd = module.params.get('preserve_sssd')
    options.no_krb5_offline_passwords = module.params.get(
        'no_krb5_offline_passwords')
    options.krb5_offline_passwords = not options.no_krb5_offline_passwords
    options.dns_over_tls = False
    fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
    client_domain = hostname[hostname.find(".") + 1:]
--- a/roles/ipaclient/library/ipaclient_test.py
+++ b/roles/ipaclient/library/ipaclient_test.py
@@ -124,16 +124,6 @@ options:
    type: bool
    required: no
    default: no
  dns_over_tls:
    description: Configure DNS over TLS
    type: bool
    default: no
    required: no
  no_dnssec_validation:
    description: Disable DNSSEC validation for DNS over TLS
    type: bool
    default: no
    required: no
  enable_dns_updates:
    description:
      Configures the machine to attempt dns updates when the ip address
@@ -258,8 +248,7 @@ from ansible.module_utils.ansible_ipa_client import (
    CLIENT_INSTALL_ERROR, tasks, check_ldap_conf, timeconf, constants,
    validate_hostname, nssldap_exists, gssapi, remove_file,
    check_ip_addresses, ipadiscovery, print_port_conf_info,
-    IPA_PYTHON_VERSION, getargspec, services,
+    IPA_PYTHON_VERSION, getargspec
    CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION
 )
@@ -339,9 +328,6 @@ def main():
                              default=None),
            all_ip_addresses=dict(required=False, type='bool', default=False),
            on_master=dict(required=False, type='bool', default=False),
            dns_over_tls=dict(required=False, type='bool', default=False),
            no_dnssec_validation=dict(required=False, type='bool',
                                      default=False),
            # sssd
            enable_dns_updates=dict(required=False, type='bool',
                                    default=False),
@@ -370,8 +356,6 @@ def main():
    options.ip_addresses = module.params.get('ip_addresses')
    options.all_ip_addresses = module.params.get('all_ip_addresses')
    options.on_master = module.params.get('on_master')
    options.dns_over_tls = module.params.get('dns_over_tls')
    options.no_dnssec_validation = module.params.get('no_dnssec_validation')
    options.enable_dns_updates = module.params.get('enable_dns_updates')
    # Get domain from first server if domain is not set, but if there are
@@ -381,16 +365,6 @@ def main():
            options.domain_name = options.servers[0][
                options.servers[0].find(".") + 1:]
    if options.dns_over_tls \
       and not services.knownservices["unbound"].is_installed():
        module.fail_json(
            msg="To enable DNS over TLS, package ipa-client-encrypted-dns "
            "must be installed.")
    if options.dns_over_tls and not CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION:
        module.fail_json(
            msg="Important patches for DNS over TLS are missing in your IPA "
            "version.")
    try:
        self = options
--- a/roles/ipaclient/module_utils/ansible_ipa_client.py
+++ b/roles/ipaclient/module_utils/ansible_ipa_client.py
@@ -231,6 +231,8 @@ try:
                        cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
                        filename, client_domain, client_hostname, force=False,
                        configure_sssd=True):
                    # pylint: disable=global-variable-not-assigned
                    global options
                    options.force = force
                    options.sssd = configure_sssd
                    return ipa_client_install.configure_krb5_conf(
@@ -310,15 +312,6 @@ try:
        except ImportError:
            configure_selinux_for_client = None
        try:
            CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = False
            from ipaclient.install.client import ClientInstallInterface
        except ImportError:
            pass
        else:
            if hasattr(ClientInstallInterface, "no_dnssec_validation"):
                CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = True
        logger = logging.getLogger("ipa-client-install")
        root_logger = logger
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -1,23 +1,11 @@
 ---
 # tasks file for ipaclient
- name: Install - Package installation
+- name: Install - Ensure that IPA client packages are installed
  ansible.builtin.package:
    name: "{{ ipaclient_packages }}"
    state: present
  when: ipaclient_install_packages | bool
  block:
  - name: Install - Set packages for installation
    ansible.builtin.set_fact:
      _ipapackages: "{{ ipaclient_packages }}"
  - name: Install - Set packages for installlation, add DOT
    ansible.builtin.set_fact:
      _ipapackages: "{{ _ipapackages + ipaclient_packages_dot }}"
    when: ipaclient_dns_over_tls | bool
  - name: Install - Ensure that packages are installed
    ansible.builtin.package:
      name: "{{ _ipapackages }}"
      state: present
 - name: Install - Set ipaclient_servers
  ansible.builtin.set_fact:
@@ -50,7 +38,7 @@
      msg: "ipaclient_domain or ipaserver_domain is required for ipaclient_configure_dns_resolver"
    when: ipaserver_domain is not defined and ipaclient_domain is not defined
-  - name: Install - Fail on missing ipaclient_dns_servers
+  - name: Install - Fail on missing ipaclient_servers
    ansible.builtin.fail:
      msg: "ipaclient_dns_servers is required for ipaclient_configure_dns_resolver"
    when: ipaclient_dns_servers is not defined
@@ -81,10 +69,9 @@
    ip_addresses: "{{ ipaclient_ip_addresses | default(omit) }}"
    all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
    on_master: "{{ ipaclient_on_master }}"
    dns_over_tls: "{{ ipaclient_dns_over_tls }}"
    no_dnssec_validation: "{{ ipaclient_no_dnssec_validation }}"
    ### sssd ###
-    enable_dns_updates: "{{ ipasssd_enable_dns_updates }}"
+    enable_dns_updates: "{{ ipassd_enable_dns_updates
                            | default(ipasssd_enable_dns_updates) }}"
  register: result_ipaclient_test
 - name: Install - Client deployment
@@ -334,12 +321,16 @@
        no_sshd: "{{ ipaclient_no_sshd }}"
        no_sudo: "{{ ipaclient_no_sudo }}"
        all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
-        fixed_primary: "{{ ipasssd_fixed_primary }}"
+        fixed_primary: "{{ ipassd_fixed_primary
-        permit: "{{ ipasssd_permit }}"
+                           | default(ipasssd_fixed_primary) }}"
-        enable_dns_updates: "{{ ipasssd_enable_dns_updates }}"
+        permit: "{{ ipassd_permit | default(ipasssd_permit) }}"
-        dns_over_tls: "{{ ipaclient_dns_over_tls }}"
+        enable_dns_updates: "{{ ipassd_enable_dns_updates
-        preserve_sssd: "{{ ipasssd_preserve_sssd }}"
+                                | default(ipasssd_enable_dns_updates) }}"
-        no_krb5_offline_passwords: "{{ ipasssd_no_krb5_offline_passwords }}"
+        preserve_sssd: "{{ ipassd_preserve_sssd
                           | default(ipasssd_preserve_sssd) }}"
        no_krb5_offline_passwords:
          "{{ ipassd_no_krb5_offline_passwords
              | default(ipasssd_no_krb5_offline_passwords) }}"
    - name: Install - IPA API calls for remaining enrollment parts
      ipaclient_api:
@@ -374,20 +365,23 @@
        ca_enabled: "{{ result_ipaclient_api.ca_enabled }}"
        on_master: "{{ ipaclient_on_master }}"
        dnsok: "{{ result_ipaclient_test.dnsok }}"
-        enable_dns_updates: "{{ ipasssd_enable_dns_updates }}"
+        enable_dns_updates: "{{ ipassd_enable_dns_updates
-        dns_over_tls: "{{ ipaclient_dns_over_tls }}"
+                                | default(ipasssd_enable_dns_updates) }}"
        no_dnssec_validation: "{{ ipaclient_no_dnssec_validation }}"
        all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
        ip_addresses: "{{ ipaclient_ip_addresses | default(omit) }}"
        request_cert: "{{ ipaclient_request_cert }}"
-        preserve_sssd: "{{ ipasssd_preserve_sssd }}"
+        preserve_sssd: "{{ ipassd_preserve_sssd
                           | default(ipasssd_preserve_sssd) }}"
        no_ssh: "{{ ipaclient_no_ssh }}"
        no_sshd: "{{ ipaclient_no_sshd }}"
        no_sudo: "{{ ipaclient_no_sudo }}"
        subid: "{{ ipaclient_subid }}"
-        fixed_primary: "{{ ipasssd_fixed_primary }}"
+        fixed_primary: "{{ ipassd_fixed_primary
-        permit: "{{ ipasssd_permit }}"
+                           | default(ipasssd_fixed_primary) }}"
-        no_krb5_offline_passwords: "{{ ipasssd_no_krb5_offline_passwords }}"
+        permit: "{{ ipassd_permit | default(ipasssd_permit) }}"
        no_krb5_offline_passwords:
          "{{ ipassd_no_krb5_offline_passwords
              | default(ipasssd_no_krb5_offline_passwords) }}"
        no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
        nosssd_files: "{{ result_ipaclient_test.nosssd_files }}"
        selinux_works: "{{ result_ipaclient_test.selinux_works }}"
--- a/roles/ipaclient/vars/Debian-10.yml
+++ b/roles/ipaclient/vars/Debian-10.yml
@@ -1,7 +1,6 @@
 ---
 # vars/Debian.yml
 ipaclient_packages: [ "freeipa-client" ]
 ipaclient_packages_dot: [ ]
 # Debian Buster must use python2 as Python interpreter due
 # to the way freeipa-client package is defined.
 # You must install package python2.7 before executing this role.
--- a/roles/ipaclient/vars/Debian.yml
+++ b/roles/ipaclient/vars/Debian.yml
@@ -2,4 +2,3 @@
 # vars/Debian.yml
 ---
 ipaclient_packages: [ "freeipa-client" ]
 ipaclient_packages_dot: [ ]
--- a/roles/ipaclient/vars/RedHat-7.yml
+++ b/roles/ipaclient/vars/RedHat-7.yml
@@ -2,4 +2,3 @@
 # vars/RedHat-7
 ---
 ipaclient_packages: [ "ipa-client", "libselinux-python" ]
 ipaclient_packages_dot: [ ]
--- a/roles/ipaclient/vars/RedHat-8.yml
+++ b/roles/ipaclient/vars/RedHat-8.yml
@@ -2,4 +2,3 @@
 # vars/RedHat-8.yml
 ---
 ipaclient_packages: [ "@idm:DL1/client" ]
 ipaclient_packages_dot: [ ]
--- a/roles/ipaclient/vars/Ubuntu-18.04.yml
+++ b/roles/ipaclient/vars/Ubuntu-18.04.yml
@@ -1,7 +1,6 @@
 # vars/Ubuntu-18.04.yml
 ---
 ipaclient_packages: [ "freeipa-client" ]
 ipaclient_packages_dot: [ ]
 # Ubuntu Bionic Beaver must use python2 as Python interpreter due
 # to the way python-ipalib package is defined.
 # Package python2.7 must be installed before executing this role.
--- a/roles/ipaclient/vars/default.yml
+++ b/roles/ipaclient/vars/default.yml
@@ -2,4 +2,3 @@
 # vars/default.yml
 ---
 ipaclient_packages: [ "ipa-client", "python3-libselinux" ]
 ipaclient_packages_dot: [ "ipa-client-encrypted-dns" ]
--- a/roles/ipareplica/README.md
+++ b/roles/ipareplica/README.md
@@ -270,11 +270,6 @@ Variable | Description | Required
 `ipareplica_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no
 `ipareplica_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first,only) | no
 `ipareplica_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no
 `ipareplica_dot_forwarders` | List of DNS over TLS forwarders. Required if `ipareplica_dns_over_tls` is enabled. (list of strings) | no
 `ipareplica_dns_over_tls` \| `ipaclient_dns_over_tls` | Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later. (bool, default: false) | no
 `ipareplica_dns_over_tls_cert` | Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA. (string) | no
 `ipareplica_dns_over_tls_key` | Key for certificate specified in `ipareplica_dns_over_tls_cert`. (string) | no
 `ipareplica_dns_policy` | Encrypted DNS policy. Only usable if `ipareplica_dns_over_tls` is enabled. (choice: relaxed, enforced, default: relaxed) | no
 AD trust Variables
 ------------------
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -224,32 +224,6 @@ options:
    type: bool
    default: no
    required: no
  dot_forwarders:
    description: List of DNS over TLS forwarders
    type: list
    elements: str
    default: []
    required: no
  dns_over_tls:
    description: Configure DNS over TLS
    type: bool
    default: no
    required: no
  dns_over_tls_cert:
    description:
      Certificate to use for DNS over TLS. If empty, a new
      certificate will be requested from IPA CA
    type: str
    required: no
  dns_over_tls_key:
    description: Key for certificate specified in dns_over_tls_cert
    type: str
    required: no
  dns_policy:
    description: Encrypted DNS policy
    type: str
    choices: ['relaxed', 'enforced']
    default: 'relaxed'
  enable_compat:
    description: Enable support for trusted domains for old clients
    type: bool
@@ -380,15 +354,6 @@ def main():
                                choices=['first', 'only'], default=None),
            no_dnssec_validation=dict(required=False, type='bool',
                                      default=False),
            dot_forwarders=dict(required=False, type='list', elements='str',
                                default=[]),
            dns_over_tls=dict(required=False, type='bool',
                              default=False),
            dns_over_tls_cert=dict(required=False, type='str'),
            dns_over_tls_key=dict(required=False, type='str'),
            dns_policy=dict(required=False, type='str',
                            choices=['relaxed', 'enforced'],
                            default='relaxed'),
            # ad trust
            enable_compat=dict(required=False, type='bool', default=False),
            netbios_name=dict(required=False, type='str'),
@@ -465,11 +430,6 @@ def main():
    options.forward_policy = ansible_module.params.get('forward_policy')
    options.no_dnssec_validation = ansible_module.params.get(
        'no_dnssec_validation')
    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
    options.dns_policy = ansible_module.params.get('dns_policy')
    # ad trust
    options.enable_compat = ansible_module.params.get('enable_compat')
    options.netbios_name = ansible_module.params.get('netbios_name')
--- a/roles/ipareplica/library/ipareplica_setup_dns.py
+++ b/roles/ipareplica/library/ipareplica_setup_dns.py
@@ -72,32 +72,6 @@ options:
    type: bool
    default: no
    required: no
  dot_forwarders:
    description: List of DNS over TLS forwarders
    type: list
    elements: str
    default: []
    required: no
  dns_over_tls:
    description: Configure DNS over TLS
    type: bool
    default: no
    required: no
  dns_over_tls_cert:
    description:
      Certificate to use for DNS over TLS. If empty, a new
      certificate will be requested from IPA CA
    type: str
    required: no
  dns_over_tls_key:
    description: Key for certificate specified in dns_over_tls_cert
    type: str
    required: no
  dns_policy:
    description: Encrypted DNS policy
    type: str
    choices: ['relaxed', 'enforced']
    default: 'relaxed'
  dns_ip_addresses:
    description: The dns ip_addresses setting
    type: list
@@ -143,9 +117,6 @@ from ansible.module_utils.ansible_ipa_replica import (
    gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, dns,
    ansible_module_get_parsed_ip_addresses
 )
 # pylint: disable=unused-import
 from ansible.module_utils.ansible_ipa_replica import bindinstance  # noqa: F401
 # pylint: enable=unused-import
 def main():
@@ -164,14 +135,6 @@ def main():
                                choices=['first', 'only'], default=None),
            no_dnssec_validation=dict(required=False, type='bool',
                                      default=False),
            dot_forwarders=dict(required=False, type='list', elements='str',
                                default=[]),
            dns_over_tls=dict(required=False, type='bool', default=False),
            dns_over_tls_cert=dict(required=False, type='str'),
            dns_over_tls_key=dict(required=False, type='str'),
            dns_policy=dict(required=False, type='str',
                            choices=['relaxed', 'enforced'],
                            default='relaxed'),
            # additional
            dns_ip_addresses=dict(required=True, type='list', elements='str'),
            dns_reverse_zones=dict(required=True, type='list', elements='str'),
@@ -204,11 +167,6 @@ def main():
    options.forward_policy = ansible_module.params.get('forward_policy')
    options.no_dnssec_validation = ansible_module.params.get(
        'no_dnssec_validation')
    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
    options.dns_policy = ansible_module.params.get('dns_policy')
    # additional
    dns.ip_addresses = ansible_module_get_parsed_ip_addresses(
        ansible_module, 'dns_ip_addresses')
--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -181,32 +181,6 @@ options:
    type: bool
    default: no
    required: no
  dot_forwarders:
    description: List of DNS over TLS forwarders
    type: list
    elements: str
    default: []
    required: no
  dns_over_tls:
    description: Configure DNS over TLS
    type: bool
    default: no
    required: no
  dns_over_tls_cert:
    description:
      Certificate to use for DNS over TLS. If empty, a new
      certificate will be requested from IPA CA
    type: str
    required: no
  dns_over_tls_key:
    description: Key for certificate specified in dns_over_tls_cert
    type: str
    required: no
  dns_policy:
    description: Encrypted DNS policy
    type: str
    choices: ['relaxed', 'enforced']
    default: 'relaxed'
 author:
    - Thomas Woerner (@t-woerner)
 '''
@@ -225,8 +199,7 @@ from ansible.module_utils.ansible_ipa_replica import (
    paths, sysrestore, ansible_module_get_parsed_ip_addresses, service,
    redirect_stdout, create_ipa_conf, ipautil,
    x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert,
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
    services, CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION
 )
@@ -277,14 +250,6 @@ def main():
                                choices=['first', 'only'], default=None),
            no_dnssec_validation=dict(required=False, type='bool',
                                      default=False),
            dot_forwarders=dict(required=False, type='list', elements='str',
                                default=[]),
            dns_over_tls=dict(required=False, type='bool', default=False),
            dns_over_tls_cert=dict(required=False, type='str'),
            dns_over_tls_key=dict(required=False, type='str'),
            dns_policy=dict(required=False, type='str',
                            choices=['relaxed', 'enforced'],
                            default='relaxed'),
        ),
    )
@@ -333,11 +298,6 @@ def main():
    options.forward_policy = ansible_module.params.get('forward_policy')
    options.no_dnssec_validation = ansible_module.params.get(
        'no_dnssec_validation')
    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
    options.dns_policy = ansible_module.params.get('dns_policy')
    ##########################################################################
    # replica init ###########################################################
@@ -459,14 +419,6 @@ def main():
            ansible_module.fail_json(
                msg="You cannot specify a --no-dnssec-validation option "
                "without the --setup-dns option")
        if installer.dns_over_tls_cert:
            ansible_module.fail_json(
                msg="You cannot specify a --dns-over-tls-cert option "
                "without the --setup-dns option")
        if installer.dns_over_tls_key:
            ansible_module.fail_json(
                msg="You cannot specify a --dns-over-tls-key option "
                "without the --setup-dns option")
    elif installer.forwarders and installer.no_forwarders:
        ansible_module.fail_json(
            msg="You cannot specify a --forwarder option together with "
@@ -483,31 +435,6 @@ def main():
        ansible_module.fail_json(
            msg="You cannot specify a --auto-reverse option together with "
            "--no-reverse")
    elif installer.dot_forwarders and not installer.dns_over_tls:
        ansible_module.fail_json(
            msg="You cannot specify a --dot-forwarder option "
            "without the --dns-over-tls option")
    elif (installer.dns_over_tls
          and not services.knownservices["unbound"].is_installed()):
        ansible_module.fail_json(
            msg="To enable DNS over TLS, package ipa-server-encrypted-dns "
            "must be installed.")
    elif installer.dns_policy == "enforced" and not installer.dns_over_tls:
        ansible_module.fail_json(
            msg="You cannot specify a --dns-policy option "
            "without the --dns-over-tls option")
    elif installer.dns_over_tls_cert and not installer.dns_over_tls:
        ansible_module.fail_json(
            msg="You cannot specify a --dns-over-tls-cert option "
            "without the --dns-over-tls option")
    elif installer.dns_over_tls_key and not installer.dns_over_tls:
        ansible_module.fail_json(
            msg="You cannot specify a --dns-over-tls-key option "
            "without the --dns-over-tls option")
    elif bool(installer.dns_over_tls_key) != bool(installer.dns_over_tls_cert):
        ansible_module.fail_json(
            msg="You cannot specify a --dns-over-tls-key option "
            "without the --dns-over-tls-cert option and vice versa")
    # replica installers
    if installer.servers and not installer.domain_name:
@@ -522,10 +449,6 @@ def main():
            ansible_module.fail_json(
                msg="You must specify at least one of --forwarder, "
                "--auto-forwarders, or --no-forwarders options")
            if installer.dns_over_tls and not installer.dot_forwarders:
                ansible_module.fail_json(
                    msg="You must specify --dot-forwarder "
                    "when enabling DNS over TLS")
    if installer.dirsrv_config_file is not None and \
       not os.path.exists(installer.dirsrv_config_file):
@@ -563,11 +486,6 @@ def main():
    if installer.domain_name is not None:
        validate_domain_name(installer.domain_name)
    if installer.dns_over_tls and not CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION:
        ansible_module.fail_json(
            msg="Important patches for DNS over TLS are missing in your "
            "IPA version.")
    ##########################################################################
    # replica promote_check excerpts #########################################
    ##########################################################################
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -80,13 +80,6 @@ except ImportError:
 try:
    from contextlib import contextmanager as contextlib_contextmanager
    from ipapython.version import NUM_VERSION, VERSION
    try:
        from ipapython.version import parse_version
    except ImportError:
        # In IPA we either need pkg_resources or packaging Version
        # class to compare versions with check_remote_version, so
        # we let an exception to be raised if neither is available.
        from pkg_resources import parse_version
    if NUM_VERSION < 30201:
        # See ipapython/version.py
@@ -106,6 +99,8 @@ try:
        import dns.resolver as dnsresolver
        import dns.reversename as dnsreversename
        from pkg_resources import parse_version
        from ipaclient.install.ipachangeconf import IPAChangeConf
        from ipalib.install import certstore, sysrestore
        from ipapython.ipautil import ipa_generate_password
@@ -187,14 +182,6 @@ try:
            from ipaserver.install import ntpinstance
            time_service = "ntpd"  # pylint: disable=invalid-name
        try:
            CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = False
            from ipaclient.install.client import ClientInstallInterface
        except ImportError:
            pass
        else:
            if hasattr(ClientInstallInterface, "no_dnssec_validation"):
                CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = True
    else:
        # IPA version < 4.6
        raise RuntimeError("freeipa version '%s' is too old" % VERSION)
@@ -221,13 +208,11 @@ def setup_logging():
@contextlib_contextmanager
 def redirect_stdout(stream):
    old_stdout = sys.stdout
    sys.stdout = stream
    try:
        yield stream
    finally:
-        sys.stdout = old_stdout
+        sys.stdout = sys.__stdout__
 class AnsibleModuleLog():
@@ -347,6 +332,12 @@ options.add_agents = False
 options.subject_base = None
 options.ca_subject = None
 # Hotfix for https://github.com/freeipa/freeipa/pull/7343
 options.dns_over_tls = False
 options.dns_over_tls_key = None
 options.dns_over_tls_cert = None
 options.dot_forwarders = None
 options.dns_policy = None
 # pylint: enable=attribute-defined-outside-init
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -1,42 +1,32 @@
 ---
 # tasks file for ipareplica
- name: Install - Set ipareplica__dns_over_lts
+- name: Package installation
  ansible.builtin.set_fact:
    ipareplica__dns_over_tls: "{{ ipareplica_dns_over_tls | default(ipaclient_dns_over_tls) | default(False) }}"
 - name: Install - Package installation
  when: ipareplica_install_packages | bool
  block:
-  - name: Install - Set packages for installation
+  - name: Install - Ensure IPA replica packages are installed
-    ansible.builtin.set_fact:
+    ansible.builtin.package:
-      _ipapackages: "{{ ipareplica_packages }}"
+      name: "{{ ipareplica_packages }}"
      state: present
-  - name: Install - Set packages for installlation, add DNS
+  - name: Install - Ensure IPA replica packages for dns are installed
-    ansible.builtin.set_fact:
+    ansible.builtin.package:
-      _ipapackages: "{{ _ipapackages + ipareplica_packages_dns }}"
+      name: "{{ ipareplica_packages_dns }}"
      state: present
    when: ipareplica_setup_dns | bool
-  - name: Install - Set packages for installlation, add DOT
+  - name: Install - Ensure IPA replica packages for adtrust are installed
-    ansible.builtin.set_fact:
+    ansible.builtin.package:
-      _ipapackages: "{{ _ipapackages + ipareplica_packages_dot }}"
+      name: "{{ ipareplica_packages_adtrust }}"
-    when: ipareplica__dns_over_tls | bool
+      state: present
  - name: Install - Set packages for installlation, add adtrust
    ansible.builtin.set_fact:
      _ipapackages: "{{ _ipapackages + ipareplica_packages_adtrust }}"
    when: ipareplica_setup_adtrust | bool
-  - name: Install - Set packages for installlation, add firewalld
+  - name: Install - Ensure that firewall packages installed
    ansible.builtin.set_fact:
      _ipapackages: "{{ _ipapackages + ipareplica_packages_firewalld }}"
    when: ipareplica_setup_firewalld | bool
  - name: Install - Ensure that packages are installed
    ansible.builtin.package:
-      name: "{{ _ipapackages }}"
+      name: "{{ ipareplica_packages_firewalld }}"
      state: present
    when: ipareplica_setup_firewalld | bool
 - name: Firewall configuration
  when: ipareplica_setup_firewalld | bool
@@ -114,11 +104,6 @@
    auto_forwarders: "{{ ipareplica_auto_forwarders }}"
    forward_policy: "{{ ipareplica_forward_policy | default(omit) }}"
    no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
    dot_forwarders: "{{ ipareplica_dot_forwarders | default([]) }}"
    dns_over_tls: "{{ ipareplica__dns_over_tls }}"
    dns_over_tls_cert: "{{ ipareplica_dns_over_tls_cert | default(omit) }}"
    dns_over_tls_key: "{{ ipareplica_dns_over_tls_key | default(omit) }}"
    dns_policy: "{{ ipareplica_dns_policy | default(omit) }}"
  register: result_ipareplica_test
 - name: Install - Deploy replica
@@ -142,8 +127,6 @@
      ipaclient_hostname: "{{ result_ipareplica_test.hostname }}"
      ipaclient_ip_addresses: "{{ ipareplica_ip_addresses | default(omit) }}"
      ipaclient_install_packages: "{{ ipareplica_install_packages }}"
      ipaclient_dns_over_tls: "{{ ipareplica__dns_over_tls }}"
      ipaclient_no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
    when: not result_ipareplica_test.client_enrolled
  - name: Install - Configure firewalld
@@ -157,8 +140,6 @@
      {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust
         else "" }}
      {{ "--add-service=dns" if ipareplica_setup_dns | bool else "" }}
      {{ "--add-service=dns-over-tls" if ipareplica__dns_over_tls | bool
         else "" }}
      {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
    when: ipareplica_setup_firewalld | bool
@@ -172,8 +153,6 @@
      {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust
         else "" }}
      {{ "--add-service=dns" if ipareplica_setup_dns | bool else "" }}
      {{ "--add-service=dns-over-tls" if ipareplica__dns_over_tls | bool
         else "" }}
      {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
    when: ipareplica_setup_firewalld | bool
@@ -222,11 +201,6 @@
      auto_forwarders: "{{ ipareplica_auto_forwarders }}"
      forward_policy: "{{ ipareplica_forward_policy | default(omit) }}"
      no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
      dot_forwarders: "{{ ipareplica_dot_forwarders | default([]) }}"
      dns_over_tls: "{{ ipareplica__dns_over_tls }}"
      dns_over_tls_cert: "{{ ipareplica_dns_over_tls_cert | default(omit) }}"
      dns_over_tls_key: "{{ ipareplica_dns_over_tls_key | default(omit) }}"
      dns_policy: "{{ ipareplica_dns_policy | default(omit) }}"
      ### ad trust ###
      enable_compat: "{{ ipareplica_enable_compat }}"
      netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"
@@ -743,11 +717,6 @@
                          result_ipareplica_prepare.forward_policy is
                          not none else omit }}"
      no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
      dot_forwarders: "{{ ipareplica_dot_forwarders | default([]) }}"
      dns_over_tls: "{{ ipareplica__dns_over_tls }}"
      dns_over_tls_cert: "{{ ipareplica_dns_over_tls_cert | default(omit) }}"
      dns_over_tls_key: "{{ ipareplica_dns_over_tls_key | default(omit) }}"
      dns_policy: "{{ ipareplica_dns_policy | default(omit) }}"
      ### additional ###
      dns_ip_addresses: "{{ result_ipareplica_prepare.dns_ip_addresses }}"
      dns_reverse_zones: "{{ result_ipareplica_prepare.dns_reverse_zones }}"
--- a/roles/ipareplica/vars/Fedora.yml
+++ b/roles/ipareplica/vars/Fedora.yml
@@ -3,6 +3,5 @@
 ---
 ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
 ipareplica_packages_dot: [ "freeipa-server-encrypted-dns" ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]
--- a/roles/ipareplica/vars/RedHat-7.yml
+++ b/roles/ipareplica/vars/RedHat-7.yml
@@ -3,6 +3,5 @@
 ---
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
 ipareplica_packages_dot: [ ]
 ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]
--- a/roles/ipareplica/vars/RedHat-8.yml
+++ b/roles/ipareplica/vars/RedHat-8.yml
@@ -3,6 +3,5 @@
 ---
 ipareplica_packages: [ "@idm:DL1/server" ]
 ipareplica_packages_dns: [ "@idm:DL1/dns" ]
 ipareplica_packages_dot: [ ]
 ipareplica_packages_adtrust: [ "@idm:DL1/adtrust" ]
 ipareplica_packages_firewalld: [ "firewalld" ]
--- a/roles/ipareplica/vars/Ubuntu-18.04.yml
+++ b/roles/ipareplica/vars/Ubuntu-18.04.yml
@@ -2,7 +2,6 @@
 ---
 ipareplica_packages: [ "freeipa-server" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
 ipareplica_packages_dot: [ ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]
 # Ubuntu Bionic Beaver must use python2 as Python interpreter due
--- a/roles/ipareplica/vars/Ubuntu.yml
+++ b/roles/ipareplica/vars/Ubuntu.yml
@@ -3,6 +3,5 @@
 ---
 ipareplica_packages: [ "freeipa-server" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
 ipareplica_packages_dot: [ ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]
--- a/roles/ipareplica/vars/default.yml
+++ b/roles/ipareplica/vars/default.yml
@@ -1,8 +1,7 @@
 # defaults file for ipareplica
 # vars/default.yml
 ---
-ipareplica_packages: [ "ipa-server", "python3-libselinux" ]
+ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
-ipareplica_packages_dns: [ "ipa-server-dns" ]
+ipareplica_packages_dns: [ "freeipa-server-dns" ]
-ipareplica_packages_dot: [ "ipa-server-encrypted-dns" ]
+ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/README.md
+++ b/roles/ipaserver/README.md
@@ -343,12 +343,6 @@ Variable | Description | Required
 `ipaserver_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no
 `ipaserver_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first, only) | no
 `ipaserver_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no
 `ipaserver_dot_forwarders` | List of DNS over TLS forwarders. Required if `ipaserver_dns_over_tls` is enabled. (list of strings) | no
 `ipaserver_dns_over_tls` \| `ipaclient_dns_over_tls` | Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later. (bool, default: false) | no
 `ipaserver_dns_over_tls_cert` | Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA. (string) | no
 `ipaserver_dns_over_tls_key` | Key for certificate specified in `ipaserver_dns_over_tls_cert`. (string) | no
 `ipaserver_dns_policy` | Encrypted DNS policy. Only usable if `ipaserver_dns_over_tls` is enabled. (choice: relaxed, enforced, default: relaxed) | no
 AD trust Variables
 ------------------
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -174,32 +174,6 @@ options:
    type: bool
    default: no
    required: no
  dot_forwarders:
    description: List of DNS over TLS forwarders
    type: list
    elements: str
    default: []
    required: no
  dns_over_tls:
    description: Configure DNS over TLS
    type: bool
    default: no
    required: no
  dns_over_tls_cert:
    description:
      Certificate to use for DNS over TLS. If empty, a new
      certificate will be requested from IPA CA
    type: str
    required: no
  dns_over_tls_key:
    description: Key for certificate specified in dns_over_tls_cert
    type: str
    required: no
  dns_policy:
    description: Encrypted DNS policy
    type: str
    choices: ['relaxed', 'enforced']
    default: 'relaxed'
  enable_compat:
    description: Enable support for trusted domains for old clients
    type: bool
@@ -306,15 +280,6 @@ def main():
                                choices=['first', 'only'], default=None),
            no_dnssec_validation=dict(required=False, type='bool',
                                      default=False),
            dot_forwarders=dict(required=False, type='list', elements='str',
                                default=[]),
            dns_over_tls=dict(required=False, type='bool',
                              default=False),
            dns_over_tls_cert=dict(required=False, type='str'),
            dns_over_tls_key=dict(required=False, type='str'),
            dns_policy=dict(required=False, type='str',
                            choices=['relaxed', 'enforced'],
                            default='relaxed'),
            # ad trust
            enable_compat=dict(required=False, type='bool', default=False),
            netbios_name=dict(required=False, type='str'),
@@ -395,11 +360,6 @@ def main():
    options.forward_policy = ansible_module.params.get('forward_policy')
    options.no_dnssec_validation = ansible_module.params.get(
        'no_dnssec_validation')
    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
    options.dns_policy = ansible_module.params.get('dns_policy')
    # ad trust
    options.enable_compat = ansible_module.params.get('enable_compat')
    options.netbios_name = ansible_module.params.get('netbios_name')
--- a/roles/ipaserver/library/ipaserver_setup_dns.py
+++ b/roles/ipaserver/library/ipaserver_setup_dns.py
@@ -83,32 +83,6 @@ options:
    type: bool
    default: no
    required: no
  dot_forwarders:
    description: List of DNS over TLS forwarders
    type: list
    elements: str
    default: []
    required: no
  dns_over_tls:
    description: Configure DNS over TLS
    type: bool
    default: no
    required: no
  dns_over_tls_cert:
    description:
      Certificate to use for DNS over TLS. If empty, a new
      certificate will be requested from IPA CA
    type: str
    required: no
  dns_over_tls_key:
    description: Key for certificate specified in dns_over_tls_cert
    type: str
    required: no
  dns_policy:
    description: Encrypted DNS policy
    type: str
    choices: ['relaxed', 'enforced']
    default: 'relaxed'
  dns_ip_addresses:
    description: The dns ip_addresses setting
    type: list
@@ -133,13 +107,9 @@ from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
    check_imports, AnsibleModuleLog, setup_logging, options, paths, dns,
    ansible_module_get_parsed_ip_addresses, sysrestore, api_Backend_ldap2,
-    redirect_stdout
+    redirect_stdout, bindinstance
 )
 # pylint: disable=unused-import
 from ansible.module_utils.ansible_ipa_server import bindinstance  # noqa: F401
 # pylint: enable=unused-import
 def main():
    ansible_module = AnsibleModule(
@@ -160,14 +130,6 @@ def main():
                                default='first'),
            no_dnssec_validation=dict(required=False, type='bool',
                                      default=False),
            dot_forwarders=dict(required=False, type='list', elements='str',
                                default=[]),
            dns_over_tls=dict(required=False, type='bool', default=False),
            dns_over_tls_cert=dict(required=False, type='str'),
            dns_over_tls_key=dict(required=False, type='str'),
            dns_policy=dict(required=False, type='str',
                            choices=['relaxed', 'enforced'],
                            default='relaxed'),
            # additional
            dns_ip_addresses=dict(required=True, type='list', elements='str'),
            dns_reverse_zones=dict(required=True, type='list', elements='str'),
@@ -196,11 +158,6 @@ def main():
    options.forward_policy = ansible_module.params.get('forward_policy')
    options.no_dnssec_validation = ansible_module.params.get(
        'no_dnssec_validation')
    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
    options.dns_policy = ansible_module.params.get('dns_policy')
    # additional
    dns.ip_addresses = ansible_module_get_parsed_ip_addresses(
        ansible_module, 'dns_ip_addresses')
@@ -208,16 +165,25 @@ def main():
    # init ##################################################################
-    # pylint: disable=unused-variable
+    fstore = sysrestore.FileStore(paths.SYSRESTORE)
    fstore = sysrestore.FileStore(paths.SYSRESTORE)  # noqa: F841
    # pylint: enable=unused-variable
    api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
    # setup dns #############################################################
    with redirect_stdout(ansible_log):
-        dns.install(False, False, options)
+        if options.setup_dns:
            dns.install(False, False, options)
        else:
            # Create a BIND instance
            bind = bindinstance.BindInstance(fstore)
            bind.set_output(ansible_log)
            bind.setup(options.host_name, options.ip_addresses,
                       options.realm_name,
                       options.domain_name, (), 'first', (),
                       zonemgr=options.zonemgr,
                       no_dnssec_validation=options.no_dnssec_validation)
            bind.create_file_with_system_records()
    # done ##################################################################
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -265,32 +265,6 @@ options:
    type: bool
    default: no
    required: no
  dot_forwarders:
    description: List of DNS over TLS forwarders
    type: list
    elements: str
    default: []
    required: no
  dns_over_tls:
    description: Configure DNS over TLS
    type: bool
    default: no
    required: no
  dns_over_tls_cert:
    description:
      Certificate to use for DNS over TLS. If empty, a new
      certificate will be requested from IPA CA
    type: str
    required: no
  dns_over_tls_key:
    description: Key for certificate specified in dns_over_tls_cert
    type: str
    required: no
  dns_policy:
    description: Encrypted DNS policy
    type: str
    choices: ['relaxed', 'enforced']
    default: 'relaxed'
  enable_compat:
    description: Enable support for trusted domains for old clients
    type: bool
@@ -338,8 +312,7 @@ from ansible.module_utils.ansible_ipa_server import (
    check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
    validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
    encode_certificate, check_available_memory, getargspec, adtrustinstance,
-    get_min_idstart, SerialNumber, services, service,
+    get_min_idstart, SerialNumber
    CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION
 )
 from ansible.module_utils import six
@@ -423,14 +396,6 @@ def main():
                                choices=['first', 'only'], default=None),
            no_dnssec_validation=dict(required=False, type='bool',
                                      default=False),
            dot_forwarders=dict(required=False, type='list', elements='str',
                                default=[]),
            dns_over_tls=dict(required=False, type='bool', default=False),
            dns_over_tls_cert=dict(required=False, type='str'),
            dns_over_tls_key=dict(required=False, type='str'),
            dns_policy=dict(required=False, type='str',
                            choices=['relaxed', 'enforced'],
                            default='relaxed'),
            # ad trust
            enable_compat=dict(required=False, type='bool', default=False),
            netbios_name=dict(required=False, type='str'),
@@ -517,11 +482,6 @@ def main():
    options.forward_policy = ansible_module.params.get('forward_policy')
    options.no_dnssec_validation = ansible_module.params.get(
        'no_dnssec_validation')
    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
    options.dns_policy = ansible_module.params.get('dns_policy')
    # ad trust
    options.enable_compat = ansible_module.params.get('enable_compat')
    options.netbios_name = ansible_module.params.get('netbios_name')
@@ -643,14 +603,6 @@ def main():
                raise RuntimeError(
                    "You cannot specify a --no-dnssec-validation option "
                    "without the --setup-dns option")
            if self.dns_over_tls_cert:
                raise RuntimeError(
                    "You cannot specify a --dns-over-tls-cert option "
                    "without the --setup-dns option")
            if self.dns_over_tls_key:
                raise RuntimeError(
                    "You cannot specify a --dns-over-tls-key option "
                    "without the --setup-dns option")
        elif self.forwarders and self.no_forwarders:
            raise RuntimeError(
                "You cannot specify a --forwarder option together with "
@@ -667,31 +619,7 @@ def main():
            raise RuntimeError(
                "You cannot specify a --auto-reverse option together with "
                "--no-reverse")
-        elif self.dot_forwarders and not self.dns_over_tls:
+
            raise RuntimeError(
                "You cannot specify a --dot-forwarder option "
                "without the --dns-over-tls option")
        elif (self.dns_over_tls
              and not services.knownservices["unbound"].is_installed()):
            raise RuntimeError(
                "To enable DNS over TLS, package ipa-server-encrypted-dns "
                "must be installed.")
        elif self.dns_policy == "enforced" and not self.dns_over_tls:
            raise RuntimeError(
                "You cannot specify a --dns-policy option "
                "without the --dns-over-tls option")
        elif self.dns_over_tls_cert and not self.dns_over_tls:
            raise RuntimeError(
                "You cannot specify a --dns-over-tls-cert option "
                "without the --dns-over-tls option")
        elif self.dns_over_tls_key and not self.dns_over_tls:
            raise RuntimeError(
                "You cannot specify a --dns-over-tls-key option "
                "without the --dns-over-tls option")
        elif bool(self.dns_over_tls_key) != bool(self.dns_over_tls_cert):
            raise RuntimeError(
                "You cannot specify a --dns-over-tls-key option "
                "without the --dns-over-tls-cert option and vice versa")
        if not self.setup_adtrust:
            if self.add_agents:
                raise RuntimeError(
@@ -749,10 +677,6 @@ def main():
                        raise RuntimeError(
                            "You must specify at least one of --forwarder, "
                            "--auto-forwarders, or --no-forwarders options")
                    if self.dns_over_tls and not self.dot_forwarders:
                        raise RuntimeError(
                            "You must specify --dot-forwarder "
                            "when enabling DNS over TLS")
            any_ignore_option_true = any(
                [self.ignore_topology_disconnect, self.ignore_last_of_role])
@@ -795,19 +719,6 @@ def main():
    # #######################################################################
    if options.dns_over_tls and not CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION:
        ansible_module.fail_json(
            msg="Important patches for DNS over TLS are missing in your "
            "IPA version.")
    client_dns_over_tls = self.dns_over_tls
    if self.dns_over_tls and not self.setup_dns:
        service.print_msg("Warning: --dns-over-tls option "
                          "specified without --setup-dns, ignoring")
        client_dns_over_tls = False
    # #######################################################################
    # If any of the key file options are selected, all are required.
    cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
    cert_file_opt = (options.pkinit_cert_files,)
@@ -1297,7 +1208,6 @@ def main():
        domainlevel=options.domainlevel,
        sid_generation_always=sid_generation_always,
        random_serial_numbers=options._random_serial_numbers,
        client_dns_over_tls=client_dns_over_tls
    )
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -216,14 +216,6 @@ try:
        except ImportError:
            SerialNumber = None
        try:
            CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = False
            from ipaclient.install.client import ClientInstallInterface
        except ImportError:
            pass
        else:
            if hasattr(ClientInstallInterface, "no_dnssec_validation"):
                CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = True
    else:
        # IPA version < 4.5
        raise RuntimeError("freeipa version '%s' is too old" % VERSION)
@@ -249,13 +241,11 @@ def setup_logging():
@contextlib_contextmanager
 def redirect_stdout(stream):
    old_stdout = sys.stdout
    sys.stdout = stream
    try:
        yield stream
    finally:
-        sys.stdout = old_stdout
+        sys.stdout = sys.__stdout__
 class AnsibleModuleLog():
@@ -364,6 +354,13 @@ options.add_agents = False
 # no_msdcs is deprecated
 options.no_msdcs = False
 # Hotfix for https://github.com/freeipa/freeipa/pull/7343
 options.dns_over_tls = False
 options.dns_over_tls_key = None
 options.dns_over_tls_cert = None
 options.dot_forwarders = None
 options.dns_policy = None
 # For pylint
 options.external_cert_files = None
 options.dirsrv_cert_files = None
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -1,42 +1,32 @@
 ---
 # tasks file for ipaserver
 - name: Install - Set ipaserver__dns_over_lts
  ansible.builtin.set_fact:
    ipaserver__dns_over_tls: "{{ ipaserver_dns_over_tls | default(ipaclient_dns_over_tls) | default(False) }}"
 - name: Install - Package installation
  when: ipaserver_install_packages | bool
  block:
  - name: Install - Ensure that IPA server packages are installed
    ansible.builtin.package:
      name: "{{ ipaserver_packages }}"
      state: present
-  - name: Install - Set packages for installation
+  - name: Install - Ensure that IPA server packages for dns are installed
-    ansible.builtin.set_fact:
+    ansible.builtin.package:
-      _ipapackages: "{{ ipaserver_packages }}"
+      name: "{{ ipaserver_packages_dns }}"
-
+      state: present
  - name: Install - Set packages for installlation, add DNS
    ansible.builtin.set_fact:
      _ipapackages: "{{ _ipapackages + ipaserver_packages_dns }}"
    when: ipaserver_setup_dns | bool
-  - name: Install - Set packages for installlation, add DOT
+  - name: Install - Ensure that IPA server packages for adtrust are installed
-    ansible.builtin.set_fact:
+    ansible.builtin.package:
-      _ipapackages: "{{ _ipapackages + ipaserver_packages_dot }}"
+      name: "{{ ipaserver_packages_adtrust }}"
-    when: ipaserver__dns_over_tls | bool
+      state: present
  - name: Install - Set packages for installlation, add adtrust
    ansible.builtin.set_fact:
      _ipapackages: "{{ _ipapackages + ipaserver_packages_adtrust }}"
    when: ipaserver_setup_adtrust | bool
-  - name: Install - Set packages for installlation, add firewalld
+  - name: Install - Ensure that firewall packages installed
-    ansible.builtin.set_fact:
+    ansible.builtin.package:
-      _ipapackages: "{{ _ipapackages + ipaserver_packages_firewalld }}"
+      name: "{{ ipaserver_packages_firewalld }}"
      state: present
    when: ipaserver_setup_firewalld | bool
  - name: Install - Ensure that packages are installed
    ansible.builtin.package:
      name: "{{ _ipapackages }}"
      state: present
 - name: Install - Firewall configuration
  when: ipaserver_setup_firewalld | bool
@@ -131,11 +121,6 @@
    auto_forwarders: "{{ ipaserver_auto_forwarders }}"
    forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
    no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
    dot_forwarders: "{{ ipaserver_dot_forwarders | default([]) }}"
    dns_over_tls: "{{ ipaserver__dns_over_tls }}"
    dns_over_tls_cert: "{{ ipaserver_dns_over_tls_cert | default(omit) }}"
    dns_over_tls_key: "{{ ipaserver_dns_over_tls_key | default(omit) }}"
    dns_policy: "{{ ipaserver_dns_policy | default(omit) }}"
    ### ad trust ###
    enable_compat: "{{ ipaserver_enable_compat }}"
    netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
@@ -207,11 +192,6 @@
      auto_forwarders: "{{ ipaserver_auto_forwarders }}"
      forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
      no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
      dot_forwarders: "{{ ipaserver_dot_forwarders | default([]) }}"
      dns_over_tls: "{{ ipaserver__dns_over_tls }}"
      dns_over_tls_cert: "{{ ipaserver_dns_over_tls_cert | default(omit) }}"
      dns_over_tls_key: "{{ ipaserver_dns_over_tls_key | default(omit) }}"
      dns_policy: "{{ ipaserver_dns_policy | default(omit) }}"
      ### ad trust ###
      enable_compat: "{{ ipaserver_enable_compat }}"
      netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
@@ -401,11 +381,6 @@
        forward_policy: "{{ result_ipaserver_prepare.forward_policy }}"
        zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
        no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}"
        dot_forwarders: "{{ ipaserver_dot_forwarders | default([]) }}"
        dns_over_tls: "{{ ipaserver__dns_over_tls }}"
        dns_over_tls_cert: "{{ ipaserver_dns_over_tls_cert | default(omit) }}"
        dns_over_tls_key: "{{ ipaserver_dns_over_tls_key | default(omit) }}"
        dns_policy: "{{ ipaserver_dns_policy | default(omit) }}"
        ### additional ###
        dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}"
        dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}"
@@ -457,7 +432,6 @@
        ipaclient_no_ntp:
          "{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690
               else 'false' }}"
        ipaclient_dns_over_tls: "{{ result_ipaserver_test.client_dns_over_tls }}"
        ipaclient_install_packages: no
    - name: Install - Enable IPA
@@ -478,8 +452,6 @@
        {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
           else "" }}
        {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
        {{ "--add-service=dns-over-tls" if ipaserver__dns_over_tls | bool
           else "" }}
        {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
      when: ipaserver_setup_firewalld | bool
@@ -493,8 +465,6 @@
        {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
           else "" }}
        {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
        {{ "--add-service=dns-over-tls" if ipaserver__dns_over_tls | bool
           else "" }}
        {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
      when: ipaserver_setup_firewalld | bool
--- a/roles/ipaserver/vars/Fedora.yml
+++ b/roles/ipaserver/vars/Fedora.yml
@@ -3,6 +3,5 @@
 ---
 ipaserver_packages: [ "freeipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
 ipaserver_packages_dot: [ "freeipa-server-encrypted-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/RedHat-7.yml
+++ b/roles/ipaserver/vars/RedHat-7.yml
@@ -3,6 +3,5 @@
 ---
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
 ipaserver_packages_dot: [ ]
 ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/RedHat-8.yml
+++ b/roles/ipaserver/vars/RedHat-8.yml
@@ -3,6 +3,5 @@
 ---
 ipaserver_packages: [ "@idm:DL1/server" ]
 ipaserver_packages_dns: [ "@idm:DL1/dns" ]
 ipaserver_packages_dot: [ ]
 ipaserver_packages_adtrust: [ "@idm:DL1/adtrust" ]
 ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/Ubuntu-18.04.yml
+++ b/roles/ipaserver/vars/Ubuntu-18.04.yml
@@ -2,7 +2,6 @@
 ---
 ipaserver_packages: [ "freeipa-server" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
 ipaserver_packages_dot: [ ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]
 # Ubuntu Bionic Beaver must use python2 as Python interpreter due
--- a/roles/ipaserver/vars/Ubuntu.yml
+++ b/roles/ipaserver/vars/Ubuntu.yml
@@ -3,6 +3,5 @@
 ---
 ipaserver_packages: [ "freeipa-server" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
 ipaserver_packages_dot: [ ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]
--- a/roles/ipaserver/vars/default.yml
+++ b/roles/ipaserver/vars/default.yml
@@ -3,6 +3,5 @@
 ---
 ipaserver_packages: [ "ipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
 ipaserver_packages_dot: [ "ipa-server-encrypted-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]
--- a/tests/idrange/test_idrange.yml
+++ b/tests/idrange/test_idrange.yml
@@ -36,50 +36,6 @@
  # Test local idrange, only if ipa-adtrust-install was not executed.
  - name: Test local idrange
    block:
      - name: Can't add idrange without base_id
        ipaidrange:
          ipaadmin_password: SomeADMINpassword
          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: local_id_range
          range_size: 200000
          rid_base: 1000000
          secondary_rid_base: 200000000
        register: result
        failed_when: "not (result.failed and 'Missing required parameters: base_id' in result.msg)"
      - name: Can't add idrange without range_size
        ipaidrange:
          ipaadmin_password: SomeADMINpassword
          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: local_id_range
          base_id: 150000000
          rid_base: 1000000
          secondary_rid_base: 200000000
        register: result
        failed_when: "not (result.failed and 'Missing required parameters: range_size' in result.msg)"
      - name: Can't add idrange without rid_base
        ipaidrange:
          ipaadmin_password: SomeADMINpassword
          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: local_id_range
          base_id: 150000000
          range_size: 200000
          secondary_rid_base: 200000000
        register: result
        failed_when: "not (result.failed and 'Missing required parameters: rid_base' in result.msg)"
      - name: Can't add idrange without secondary_rid_base
        ipaidrange:
          ipaadmin_password: SomeADMINpassword
          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: local_id_range
          base_id: 150000000
          range_size: 200000
          rid_base: 1000000
        register: result
        failed_when: "not (result.failed and 'Missing required parameters: secondary_rid_base' in result.msg)"
      - name: Ensure idrange with minimal attributes is present
        ipaidrange:
          ipaadmin_password: SomeADMINpassword
@@ -87,8 +43,6 @@
          name: local_id_range
          base_id: 150000000
          range_size: 200000
          rid_base: 1000000
          secondary_rid_base: 200000000
        register: result
        failed_when:
          not (result.failed or result.changed) or (result.failed and 'ipa-adtrust-install has already been run' not in result.msg)
@@ -100,8 +54,6 @@
          name: local_id_range
          base_id: 150000000
          range_size: 200000
          rid_base: 1000000
          secondary_rid_base: 200000000
        register: result
        failed_when:
          result.changed or (result.failed and 'ipa-adtrust-install has already been run' not in result.msg)
@@ -166,7 +118,6 @@
          ipaadmin_password: SomeADMINpassword
          ipaapi_context: "{{ ipa_context | default(omit) }}"
          name: local_id_range
          state: absent
  - name: Execute idrange tests if trust test environment is supported
    when: trust_test_is_supported | default(false)
--- a/tests/service/env_cleanup.yml
+++ b/tests/service/env_cleanup.yml
@@ -31,7 +31,7 @@
      - "{{ host2_fqdn }}"
      - "{{ nohost_fqdn }}"
      - svc.ihavenodns.info
-    update_dns: true
+    update_dns: no
    state: absent
 - name: Ensure testing users are absent.
--- a/utils/setup_test_container.sh
+++ b/utils/setup_test_container.sh
@@ -79,20 +79,6 @@ shift
 prepare_container "${scenario}" "${IMAGE_TAG}"
 start_container "${scenario}"
 log info "Wait till systemd-journald is running"
 max=20
 wait=2
 count=0
 while ! podman exec "${scenario}" ps -x | grep -q "systemd-journald"
 do
    if [ $count -ge $max ]; then
        die "Timeout: systemd-journald is not starting up"
    fi
    count=$((count+1))
    log none "Waiting ${wait} seconds .."
    sleep ${wait}
 done
 # wait for FreeIPA services to be available (usually ~45 seconds)
 log info "Wait for container to be initialized."
 wait=15